Damon Cortesi's blog

Musings of an entrepreneur.

What a Web App Scanner WON'T Catch!


There was mention recently on SecuriTeam about the lack of effectiveness of web application scanners. While they are effective for identifying the low-hanging fruit, I agree that as applications have advanced, web application scanners have not kept up.

Web application scanners are now so bad that I won’t even use them if they’re free. At this point, I am officially divorced from automated application scanners. What I’ve been using, primarily, is Proxies and Firefox browser plugins. –Dmitry

Although I have not stopped using them completely (they’ll pick up the easily identifiable XSS and SQL injection), their effectiveness is definitely limited. So without further ado, here is a list I came up with in the past five minutes:

What a web application scanner won’t find!

  • Malicious file uploads via standard file upload functionality - a malicious ASP or PHP file
  • Blind SQL injection that relies on other stateful variables (a revision app that increments a number on the page on the server side)
  • Authorization problems - This user _SHOULD NOT_ be able to access this customer record
  • Advanced forms of cross-site scripting - special encoding, attacks that require heavy manipulation for JS execution
  • Broken Authentication - Similar to authorization, it is difficult for a web application scanner to tell whether a real user really needs access
  • Poor Encryption Mechanisms - One of the huge downfalls of any application is custom “encryption” that is poorly designed. Web app scanners won’t catch this
  • Parameter Manipulation - Oh, you meant $500 instead of $0.05?! No way an app scanner can catch this

So there you go, just a few of the things that your $20,000 web app scanner won’t be able to catch. There are more, but that was the list that came immediately to mind.
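Two items from the list, the authorization problem and the $0.05 price parameter, as an added example that is not from the original post. The handlers, user names and sample data are constructed for illustration, and `generic_scan_flags` is a simplified stand-in for what a context-free scanner can judge from a response.

```python
# Constructed sample data: record ownership and server-side prices.
OWNERS = {"cust-1": "alice", "cust-2": "bob"}
CATALOG = {"widget": 500.00}

def get_customer_weak(user, customer_id):
    # Weak: any logged-in user can read any existing record.
    if customer_id not in OWNERS:
        return 404, "not found"
    return 200, f"record {customer_id}"

def get_customer_checked(user, customer_id):
    # Hardened: the record's owner must match the session user.
    if OWNERS.get(customer_id) != user:
        return 403, "forbidden"
    return 200, f"record {customer_id}"

def checkout_weak(item, client_price):
    # Weak: trusts the price field sent by the browser.
    return 200, f"charged {float(client_price):.2f}"

def checkout_checked(item, client_price):
    # Hardened: the price comes from the server-side catalog; mismatches are rejected.
    if item not in CATALOG or float(client_price) != CATALOG[item]:
        return 400, "price mismatch"
    return 200, f"charged {CATALOG[item]:.2f}"

def generic_scan_flags(status, body):
    # All a context-free check can judge: server errors and error strings.
    return status >= 500 or "SQL syntax" in body or "Traceback" in body

def rule_aware_findings(get_customer, checkout):
    # Checks that need business knowledge: who owns a record, what an item costs.
    findings = []
    if get_customer("alice", "cust-2")[0] == 200:
        findings.append("authorization: alice read bob's record")
    if checkout("widget", "0.05")[0] == 200:
        findings.append("parameter manipulation: accepted 0.05 for a 500.00 item")
    return findings
```

The weak handlers return a clean 200 response that the generic check has no reason to flag; only the test that knows who owns `cust-2` and what a widget costs reports them.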

p.s. On a side note, OWASP (the Open Web Application Security Project) recently launched a new initiative called the OWASP Spring of Code 2007 (SpoC 007) which will sponsor (Open Source) Web Application Security projects with (at least) $110,000 USD. Here’s your chance to make the tools better!